Exploit software is released one month after the serious weakness came to light.

Security consultants have independently confirmed a serious security weakness that makes it trivial for hackers with physical control of many computers sold by Dell, Acer, and at least 14 other manufacturers to quickly recover Windows account passwords.

The vulnerability is contained in multiple versions of fingerprint-reading software known as UPEK Protector Suite. In July, Apple paid $356 million to buy Authentec, the Melbourne, Florida-based company that acquired the technology from privately held UPEK in 2010. The weakness came to light no later than September, but Apple has yet to acknowledge it or warn end users how to work around it. No one has accused Apple of being responsible for the underlying design of fingerprint-reading software.

The UPEK software has long been marketed as a secure means for logging into Windows computers using an owner's unique fingerprint, instead of a user-memorized password. Last month, Elcomsoft, a Russia-based developer of password-cracking software, warned that the software makes users less secure than they otherwise would be because it stores Windows account passwords to the registry and encrypts them with a key that is easy for hackers to retrieve. It takes only seconds for people with the key to extract a password, company officials said. They withheld technical details to prevent the vulnerability from being widely exploited.

Now, a pair of security consultants say they have independently verified the vulnerability and released open-source software that makes it easy to exploit it. Easily decrypted passwords are stored in one of several registry keys located in HKEY_LOCAL_MACHINE\Software\Virtual Token\Passport\, depending on the application version. The duo said they released the software and additional information so that penetration testers, who are paid to penetrate the defenses of their customers, can exploit the weakness.

"From a penetration testing perspective, local administrator access is required to obtain the necessary registry key's value, so it only matters if you already have control of the PC," Brandon Wilson, one of the security consultants, told Ars. "But since so many of these devices are used in corporate environments, it makes it easy to obtain domain credentials, and from there, easily expand an attack to other systems."

When Protector Suite isn't activated, Windows doesn't store account passwords in the registry unless users have specifically configured an account to automatically log in. Security experts have long counseled people not to use automatic log in. Disabling Windows login functionality from within Protector Suite will not remove the password from the registry key, the penetration testers confirmed. If the "passport" for that user is deleted from within the application, the password is also deleted. When uninstalling the application, an option is presented to the user to also delete the passport data. If left, the password remains, and if removed, the password is deleted, Wilson said.
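The article names the registry location and notes that disabling Windows login inside Protector Suite leaves the stored password behind. The following script is an added example, not code from the article or from UPEK/Authentec: an administrator runs it on a fingerprint-equipped machine to check whether passport data is still present under that key (it reports key and value names only and never reads or decrypts the stored values). The WOW6432Node path is an assumption about where a 32-bit installer writes on 64-bit Windows.

```powershell
# Added inventory check (not the article's or the vendor's code).
# Reports leftover Protector Suite passport data under the key named in the article.
$paths = @(
    'HKLM:\SOFTWARE\Virtual Token\Passport',
    # 32-bit registry view on 64-bit Windows (assumption: the app registers here on x64)
    'HKLM:\SOFTWARE\WOW6432Node\Virtual Token\Passport'
)

function Test-ProtectorSuiteResidue {
    param([string[]]$KeyPaths)
    $findings = @()
    foreach ($path in $KeyPaths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # Walk every subkey: the article says the exact subkey varies by version.
        $keys = @(Get-Item -LiteralPath $path) + @(Get-ChildItem -LiteralPath $path -Recurse)
        foreach ($key in $keys) {
            $names = $key.GetValueNames()
            if ($names.Count -eq 0) { continue }
            # Record presence only; the value contents are deliberately not read.
            $findings += [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                Key        = $key.Name
                ValueCount = $names.Count
                ValueNames = ($names -join ', ')
            }
        }
    }
    return $findings
}

$result = @(Test-ProtectorSuiteResidue -KeyPaths $paths)
if ($result.Count -eq 0) {
    Write-Output 'No Protector Suite passport data found under HKLM\SOFTWARE\Virtual Token\Passport.'
} else {
    Write-Warning 'Stored passport data is present. Delete the passport inside the application, or uninstall and choose to remove passport data, then re-run this check.'
    $result | Format-Table -AutoSize
}
```

Run it elevated (the article notes local administrator rights are needed to read the key); in a domain, the function can be invoked through Invoke-Command to inventory many machines at once.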

According to Wilson, every version of the software labeled "UPEK Protector Suite" that he and fellow penetration tester Adam Caudill have analyzed has tested positive for the vulnerability. In addition to Dell and Acer, other PC makers that preinstall the software include Amoi, Asus, Clevo, Compal, Gateway, IBM/Lenovo, Itronix, MPC, MSI, NEC, Sager, Samsung, Sony, and Toshiba. UPEK Protector Suite is also rebranded by Lenovo as ThinkVantage Fingerprint Software, Wilson said.

Given the claims made in the UPEK software that it's a safe alternative to account logins, it's surprising there has been no recall or an advisory warning of the vulnerability. Representatives from Apple and Authentec didn't respond to an e-mail seeking comment for this brief.

Update October 11, 2012: As reported elsewhere on Wednesday night, Authentec issued a patch for UPEK Protector Suite in mid September. Adam Caudill, one of the penetration testers who independently confirmed the vulnerability, told Ars they were unaware of that release until Wednesday night. In an e-mail, he described the patch as a "band-aid" because under the new version, passwords are protected using encryption that's trivial to brute force. More details from the Threat Post blog are here. What's more, the patch has yet to be pushed out to many users, and Ars isn't aware of any advisories warning of the vulnerability or advising users to install the newer version.

Promoted Comments

The "owned by Apple" is a nice touch of link bait. Bet Ars gets 10x the hits for using the headline to imply some kind of conspiracy or negligence on Apple's part.

What do you want them to do, pretend Apple doesn't own the company or bury that information just to protect your sensibilities? Apple owns the company, end of story. And if any other major computer firm had owned it, I'm sure that would have been mentioned in the headline, too, because it happens to be the most salient fact about the chain of corporate command, which is something everybody wants to know when there is a major exploit.

LOL at the title. Apple just bought Authentec in July (~3 months ago) and all of a sudden people quickly label it as Apple's fault. Motorola Mobility news, however, still gets titled Motorola instead of Google.

I'm usually frustrated by complaints of "linkbait", because generally I feel that if not quite black-and-white, ARS has been treading through the grey area. This one seems over the line though: there's no reason to implicate Apple in this when they've only owned the company since July.

In July, Apple paid $356 million to buy Authentec, the Melbourne, Florida-based company that acquired the technology from privately held UPEK in 2010.

The UPEK software has long been marketed as a secure means for logging into Windows computers...

So the vulnerability has been around for years [I assume that is what 'long' implies], and is only "discovered" - or at least, publicly announced - a -month- [edit: okay, two months] after Apple buys the rights to the technology, and "Apple-owned" is prominent in the headline?

It's not like Apple is going to place encrypted passwords in the 'registry' of any of their devices, is it?

OK, I'll bite and make Apple the topic: Why did Apple buy the company then? I hope not to gain security know-how because they obviously lack it.

I'd guess there's a patent portfolio involved somewhere. I doubt this company has implemented something Apple couldn't do itself very easily, and the existing Windows product base is probably useless to them.

Yes, this article is probably going to be trolled hard, but I fail to see the point of people rushing in with a half-dozen "here come the trollz!" posts. Is that some sort of flinch response or something?

It's not like Apple is going to place encrypted passwords in the 'registry' of any of their devices, is it?

The Apple keychain (and 1Password, and KeePass) store encrypted passwords that are secured with a password that is not stored on the same device. From the description here, I get the impression that this fingerprint software looks at your fingerprint, decides it's good enough, and then whips out the master key from behind its back - if so, it was completely insecure by design. Am I missing something here? Could it really be that bad?

I'm not sure it's really Apple's fault that an unrelated group produced vulnerable code prior to being acquired. Apple has shown that its core competence is not Windows software anyway.

But hey, I hear the bandwagon coming!

I've been an Ars reader for a few years only but really just signed up to say that and what other commenters have said.

I get that you would want to mention the relation in the article and maybe the subtitle, but it seems to me that mentioning it in the title is clickbait at best, trollbait at worst.

I probably used one or two computers with fingerprint sensors from that particular vendor, and yet this title doesn't draw my attention into reading the article because the Apple ownership is so new that most people probably don't even know of the relation.

A better title would have been "Confirmed: Ubiquitous fingerprint software exposes Windows passwords", not much different, but to the point and much more accurate, don't you think?

Title is total linkbait and Ars should know better; there's enough grief in the comments when it's a "pro-Apple" linkbait title. If Ars is serious about the generally high quality of comment thread content, you'd knock it off with the absurd linkbaiting. The only thing it does is get dicks like me to complain, and give the pro/anti crowd an excuse to spend the entire thread fighting their little fandom wars.

edit: Besides, you don't need to do it. That's the really annoying part.

This isn't news.... it has been known for quite a while that this is a problem with how UPEK stores passwords in the registry. I first read about this over six months ago.

The only part that is in fact news is the release of an exploit. I guess in theory you could physically remove a hard drive from a domain connected computer and put it into a standalone to which you have admin access. You could then hive load the registry and sniff out the password giving you valid login credentials into the Windows domain that you didn't have before. Otherwise you have to have local administrator privileges on the machine to access the password string in the registry.

It is an issue that should be corrected, but it is not the end of the world.

I'm really not one to ever say things like this but I'm seriously disappointed in whatever editorial decision led to the headline of this article. I was already familiar with this story from previous coverage on Ars and clicked the link expecting to hear about a different vulnerability in a piece of software other than UPEK. I was of course dismayed to find that it was simply a sensationalist bit of name-dropping.

In most forums that could reasonably be considered trolling. Sure it's a fact, but it's a fact that has absolutely ZERO to do with the actual subject matter of the article.

OK, I'll bite and make Apple the topic: Why did Apple buy the company then? I hope not to gain security know-how because they obviously lack it.

From what the rumors sounded like, they wanted some kind of hardware for integration into a product.

Apple usually throws away software it acquires. Given that their strength already is in software, they usually figure they can write something better themselves, or let the acquired people re-write it under their watch.

They're usually more interested in patents, very specific hardware know-how and in making a company's products unavailable to the competition.

Usually physical access will not allow someone to find out what the login password is, which is an important distinction since that login password might also be used elsewhere to access things you do not have physical access to.

Also... isn't this the company Apple only purchased just recently and has informed all its customers that they need to start looking for business elsewhere, because it's going to be shut down?

OK, I'll bite and make Apple the topic: Why did Apple buy the company then? I hope not to gain security know-how because they obviously lack it.

From what the rumors sounded like, they wanted some kind of hardware for integration into a product.

Apple usually throws away software it acquires. Given that their strength already is in software, they usually figure they can write something better themselves, or let the acquired people re-write it under their watch.

They're usually more interested in patents, very specific hardware know-how and in making a company's products unavailable to the competition.

Yeah, more likely they were only interested in the patents, and maybe also the engineering talent (doesn't sound like it though, after learning about this exploit).

Apparently Authentec's existing customers (Dell, HP, etc.) are freaking out a bit, because Apple is probably going to shut down Authentec, and they need to find a competitor. Trouble is, Authentec has important patents so there isn't really any viable competition unless they can convince Apple to license the patents.

I agree with several posters who said Apple likely bought the company for its IP portfolio as a defensive patent strategy rather than some sinister or underhanded motive. If anything, they might have not put enough due diligence into the company's products before the purchase - but that's a reach.

On the other hand, railing against Ars because they named a rather famous parent company in a headline is a bit ridiculous. If Microsoft was the parent company would you be as indignant?

The "owned by Apple" is a nice touch of link bait. Bet Ars gets 10x the hits for using the headline to imply some kind of conspiracy or negligence on Apple's part.

True, but it works both ways. Just because they purchased the company, is Apple not responsible for the quality of what is now THEIR software? Apple may not be at fault for the design flaw, but they're sure at fault for not identifying it and fixing it. Especially if their quality standards are actually higher than other companies' (as they would have us believe). There's also a case for their inability to identify the poor quality of their initial investment. They bought a company with shit for code, and didn't improve it. That says more about Apple than the flaw that they're not responsible for creating.

I'm not sure it's really Apple's fault that an unrelated group produced vulnerable code prior to being acquired. Apple has shown that its core competence is not Windows software anyway.

But hey, I hear the bandwagon coming!

I'm pretty sure no rational person will blame apple for CREATING the flaw.

But... Apple chose the company as a good investment, and THAT mistake is theirs. And Apple HELD the company without either identifying, or fixing the flaw.

When it comes to software, there's only so far you can blame the platform. And everyone knows the Windows registry isn't a secure storage medium. And even first year CS students know that brute-forcing of key encrypted passwords is quite trivial. So Apple engineers damn well would (should) know this (there's no excuse not to).

Apple touts a high quality standard in their products, so it's not unreasonable to expect them to deliver (and even in the case of acquired software, IMPROVE it and raise it to their touted standard).

On the other hand, railing against Ars because they named a rather famous parent company in a headline is a bit ridiculous. If Microsoft was the parent company would you be as indignant?

Yeah. When the company in question was acquired only a few months ago, you could substitute Microsoft, Google, or whoever you want as the "parent company" in the headline; it would still be cheap linkbait. It's sensationalistic and at odds with the actual story it's supposed to be summarizing.

I come to Ars to get away from that crap, so seeing something like this here is deeply disappointing.